Re: move "Organizational CA" from a NetWare-Server to a OES2018-Server

It may be easier to create a new CA... But this would depend on what certificates are in use and potential outages, etc.

How many servers are in the tree? Any user certificates or just server based certificates? When does your CA expire? Are you using the certificates for anything other than LDAP? If only for LDAP, how many applications would be impacted?

Re: move "Organizational CA" from a NetWare-Server to a OES2018-Server

It depends under which NICI/NMAS/PKI build the CA was initially built.

After some version (I long ago forgot the detail) you could export the CA's private key, so you could export and import it to a new server. However, if you have a CA built on NW65 odds are good the 10-year span of the CA is pretty darn near ending as well.

Easiest would be to create a new CA. You will have to recreate all existing certs (which is easy for servers, since iManager will recreate default certs). But then you have to consider any OTHER certs in use somewhere.

And anything that trusts your CA will need to import the new CA into their truststore. So it really depends.

Re: move "Organizational CA" from a NetWare-Server to a OES2018-Server

Hello *,

the existing certificate is Version 3 - Signature algorithm: SHA1 with RSA - 2048 bits. The certificates expire in March 2020. There are six NetWare 6.5 servers, three OES 11.3 servers and four OES 2015.1 servers in the tree. I would install an additional OES2018 server in the tree first ... [By the way, the NetWare servers are holding partition replicas ... Can we add new replicas to the OES2018 server (compatibility eDir 8.8 SP5, eDir 9.1)?] There are just server based certificates. The certificates are used for LDAP and an IDM driver (Identity Management) from a separate tree.

Kind regards
Oskar

Re: move "Organizational CA" from a NetWare-Server to a OES2018-Server

You have to recreate the CA next month anyway. Be proactive and do it early now. 🙂

IDM driver ones will continue to work (until March) I think, since the Cert does not have to be deleted and there is no 'live' query to the CA to validate them. But since the CA dies in March, you would have to recreate the IDM driver ones as well. (This means distributing the new CA public key to the Remote Loaders as well but you have to do that in March anyway).

Re: move "Organizational CA" from a NetWare-Server to a OES2018-Server

Hello *,

thanks for your reply. That's what I supposed also. OK - I have to recreate the CA anyway. But I am scared of the compatibility: there are NetWare 6.5 servers (with eDir 8.8 SP5 IR 8.8.5.6) holding RW replicas of all partitions. The new OES2018 server has eDir v9.1. Probably it would be better to install two OES2018 servers in the tree first; make these two OES2018 servers the master and RW replica servers; delete the replicas from the NetWare servers and then recreate the new CA. Is this a good plan?

Re: move "Organizational CA" from a NetWare-Server to a OES2018-Server

Hi,

the eDir2eDir driver does check CRLs if your server certificates have a Certificate Revocation List Distribution Point extension in them. So be sure to keep them alive if you continue to use the old certs.

I learned that when one customer turned off port 389 in response to a security scan but had all its certificates minted with an ldap://... CRLDP.
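As an added example (not code from the thread, and not an eDirectory or IDM tool), the following Python pulls the CRL Distribution Point URIs out of a DER-encoded certificate and lists the LDAP host/port pairs a CRL-checking client such as the eDir2eDir driver must be able to reach; the sample extension and its host names are constructed, not taken from any real deployment.

```python
from urllib.parse import urlparse

CRLDP_OID = bytes.fromhex("0603551d1f")  # OID 2.5.29.31, crlDistributionPoints

def _der_len(buf, i):
    """Decode DER length at buf[i] -> (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def crldp_uris(der):
    """URIs in the crlDistributionPoints extension of a DER-encoded cert.
    Minimal scanner, not a full ASN.1 parser: locate the OID, then collect
    every [6] IMPLICIT IA5String (tag 0x86, GeneralName URI) in extnValue."""
    pos = der.find(CRLDP_OID)
    if pos < 0:
        return []
    i = pos + len(CRLDP_OID)
    if der[i] == 0x01:        # optional BOOLEAN critical flag (3 bytes)
        i += 3
    if der[i] != 0x04:        # extnValue must be an OCTET STRING
        return []
    length, i = _der_len(der, i + 1)
    ext, uris, j = der[i:i + length], [], 0
    while j < len(ext):
        if ext[j] == 0x86:    # IA5String bytes are ASCII, so 0x86 is only ever a tag
            n, k = _der_len(ext, j + 1)
            uris.append(ext[k:k + n].decode("ascii"))
            j = k + n
        else:
            j += 1
    return uris

def ldap_dependencies(uris):
    """(host, port) pairs a CRL-checking client must reach; 389/636 defaults.
    Closing these ports (as in the port 389 incident above) breaks validation."""
    deps = []
    for p in map(urlparse, uris):
        if p.scheme in ("ldap", "ldaps"):
            deps.append((p.hostname, p.port or (636 if p.scheme == "ldaps" else 389)))
    return deps

# Constructed sample (hypothetical hosts): a crlDistributionPoints extension with
# one ldap:// and one http:// distribution point, built from short-form DER TLVs.
_tlv = lambda tag, body: bytes([tag, len(body)]) + body
_names = _tlv(0x86, b"ldap://ldap.example.com:389/cn=CRL") + _tlv(0x86, b"http://crl.example.com/ca.crl")
SAMPLE_EXT = _tlv(0x30, CRLDP_OID + _tlv(0x04, _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _names))))))
```

Feeding the raw DER of each server certificate to `crldp_uris` and then `ldap_dependencies` gives the list of LDAP endpoints that must stay reachable while the old certificates remain in use.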

Re: move "Organizational CA" from a NetWare-Server to a OES2018-Server

Hello *,

we succeeded in creating a new Org-CA. All OES and NetWare servers have new valid certificates (except the "*EC*" certs, which show "Invalid: CRL Decode Error"). We used "ndsconfig upgrade" on the Linux servers and "pkidiag" on the NetWare servers.

We hope EC-Certs are not needed for basic usage (although we use eDir2eDir-Synch) ...?

Then, we moved all the Partition-Replicas from NetWare6.5SP8-servers to OES2015/2018-Servers. All replicas are in sync ...

There is only one problem left (but a big one): after restarting a NetWare server, the users cannot map drives to this NetWare server (NCP).

Re: move "Organizational CA" from a NetWare-Server to a OES2018-Server

Secret Store is not per se needed on a Read Only replica.

You could rename the NLM files on Netware and they will fail to load. I forget if they are autoloaded by nds, in which case hmm... Been a while since I dealt with Netware... On Linux there is a file that lists the modules to autoload, not sure I remember how it worked on Netware.

But the Secret Store not loading is unlikely the issue, the R/O replica is more likely the cause.

Re: move "Organizational CA" from a NetWare-Server to a OES2018-Server

Hello geoffc,

thank you for your reply. Hmm - this server had no replicas (neither RO, RW nor Master). I tried not loading sss.nlm (and the associated NLMs one by one). But this did not work either.

I have to add all partitions as RW replicas to this NetWare server. Then (and only then) are the NSS volumes accessible. Now there are NetWare servers and OES2018 servers holding RW replicas of the partitions. This is what I mainly wanted to avoid. 😞
